CreateRestorePoint:
cmd: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\ProgramData\Symantec\Symantec Endpoint Protection\Logs\\"
cmd: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\ProgramData\Symantec\\"
cmd: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\ProgramData\Symantec\Symantec Endpoint Protection\BadPatts\\"
cmd: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\\"
cmd: reg add "HKLM\SYSTEM\ControlSet001\Control\ServiceGroupOrder" /v List /t REG_MULTI_SZ /d "EMS\0WdfLoadGroup\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Virtualization\0FSFilter Encryption\0FSFilter Compression\0FSFilter Imaging\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0Event Log\0AudioGroup\0ProfSvc_Group\0UIGroup\0MS_WindowsLocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0wltrysvc\0iSCSI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0SmartCardGroup\0NetworkProvider\0MS_WindowsRemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions"
cmd: reg add "HKLM\SYSTEM\ControlSet003\Control\ServiceGroupOrder" /v List /t REG_MULTI_SZ /d "EMS\0WdfLoadGroup\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Virtualization\0FSFilter Encryption\0FSFilter Compression\0FSFilter Imaging\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0Event Log\0AudioGroup\0ProfSvc_Group\0UIGroup\0MS_WindowsLocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0wltrysvc\0iSCSI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0SmartCardGroup\0NetworkProvider\0MS_WindowsRemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions"
cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder" /v List /t REG_MULTI_SZ /d "EMS\0WdfLoadGroup\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Virtualization\0FSFilter Encryption\0FSFilter Compression\0FSFilter Imaging\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0Event Log\0AudioGroup\0ProfSvc_Group\0UIGroup\0MS_WindowsLocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0wltrysvc\0iSCSI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0SmartCardGroup\0NetworkProvider\0MS_WindowsRemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions"
2015-03-22 01:02 - 2015-03-22 01:02 - 00000000 ____D () C:\ProgramData\Symantec
2015-03-15 11:47 - 2008-08-22 00:23 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy
AlternateDataStreams: C:\ProgramData\TEMP:62E2D794
EmptyTemp: